Debugging and analysing Windows NT programs at the binary level

In recent years, civilian and military organisations have increasingly used Commercial-Off-The-Shelf (COTS) software instead of developing their own. Although this approach offers clear advantages in development time and cost, it raises serious concerns for security assurance: software is much harder to test when its source code is unavailable, as is the case for most COTS products. In 1997, a project called MaliCOTS was initiated to investigate ways of detecting and eliminating the threat posed by malicious code that may be present in COTS programs. This report is a first step toward overcoming the technical difficulties of a dynamic approach, in which the execution of the program is monitored directly. Monitoring a program's execution at the binary level requires a basic knowledge of assembly language programming, and it is preferable to have a good understanding of the architecture of the operating system in use, in this case Windows NT running on an Intel machine. Finally, controlling a program's execution and inspecting its private data requires knowing how to implement a debugger. This report presents information gathered from numerous heterogeneous sources and from experimentation, allowing a programmer to implement and use a simple debugger that works at the binary level under Windows NT.
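The approach the abstract describes (controlling a COTS program's execution and inspecting its private data through a debugger) rests on the Win32 debug API: the monitor launches the target with a debug flag, receives a stream of debug events, and answers each one before the target may continue. The following minimal monitor is an added example written for this page; it is not code from the report or the MaliCOTS project. It uses only documented Win32 calls (`CreateProcessA`, `WaitForDebugEvent`, `ContinueDebugEvent`, `ReadProcessMemory`) and logs every event, including DLL loads and exceptions, which is the kind of runtime evidence a dynamic analysis of an untrusted binary wants. The event-labelling and continue-status policy is kept separate from the OS-specific loop so it can be compiled and tested on a host without the Windows SDK; the constant stubs in the `#else` branch are constructed for that purpose and carry the documented values.

```c
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
/* Non-Windows hosts (constructed stubs): the documented Win32 constant values,
   so the OS-independent policy below can be compiled and unit-tested alone. */
typedef unsigned long DWORD;
#define EXCEPTION_DEBUG_EVENT      1
#define CREATE_THREAD_DEBUG_EVENT  2
#define CREATE_PROCESS_DEBUG_EVENT 3
#define EXIT_THREAD_DEBUG_EVENT    4
#define EXIT_PROCESS_DEBUG_EVENT   5
#define LOAD_DLL_DEBUG_EVENT       6
#define UNLOAD_DLL_DEBUG_EVENT     7
#define OUTPUT_DEBUG_STRING_EVENT  8
#define RIP_EVENT                  9
#define EXCEPTION_BREAKPOINT       0x80000003L
#define DBG_CONTINUE               0x00010002L
#define DBG_EXCEPTION_NOT_HANDLED  0x80010001L
#endif

/* Map DEBUG_EVENT.dwDebugEventCode to a short label for the monitor log. */
const char *debug_event_name(DWORD code)
{
    switch (code) {
    case EXCEPTION_DEBUG_EVENT:      return "EXCEPTION";
    case CREATE_THREAD_DEBUG_EVENT:  return "CREATE_THREAD";
    case CREATE_PROCESS_DEBUG_EVENT: return "CREATE_PROCESS";
    case EXIT_THREAD_DEBUG_EVENT:    return "EXIT_THREAD";
    case EXIT_PROCESS_DEBUG_EVENT:   return "EXIT_PROCESS";
    case LOAD_DLL_DEBUG_EVENT:       return "LOAD_DLL";
    case UNLOAD_DLL_DEBUG_EVENT:     return "UNLOAD_DLL";
    case OUTPUT_DEBUG_STRING_EVENT:  return "OUTPUT_DEBUG_STRING";
    case RIP_EVENT:                  return "RIP";
    default:                         return "UNKNOWN";
    }
}

typedef struct { int initial_bp_seen; unsigned long exceptions_seen; } monitor_state;

/* Policy for answering an exception event. Every NT debuggee raises one
   breakpoint from the loader shortly after start-up; the debugger must answer
   it (and any breakpoint it planted itself) with DBG_CONTINUE or the target
   dies. Every other exception is passed back unhandled so the target behaves
   exactly as it would without a monitor attached, which is what we want to
   observe. */
DWORD continue_status_for(monitor_state *st, DWORD exception_code)
{
    st->exceptions_seen++;
    if (exception_code == EXCEPTION_BREAKPOINT) {
        st->initial_bp_seen = 1;
        return DBG_CONTINUE;
    }
    return DBG_EXCEPTION_NOT_HANDLED;
}

#ifdef _WIN32
/* Launch the target as a debuggee and log each debug event until it exits. */
int monitor(const char *cmdline)
{
    STARTUPINFOA si; PROCESS_INFORMATION pi; DEBUG_EVENT ev;
    monitor_state st = {0, 0};
    char cmd[1024];                      /* CreateProcessA may modify this buffer */
    memset(&si, 0, sizeof si); si.cb = sizeof si;
    strncpy(cmd, cmdline, sizeof cmd - 1); cmd[sizeof cmd - 1] = 0;
    if (!CreateProcessA(NULL, cmd, NULL, NULL, FALSE, DEBUG_ONLY_THIS_PROCESS,
                        NULL, NULL, &si, &pi))
        return (int)GetLastError();
    for (;;) {
        DWORD cont = DBG_CONTINUE;
        if (!WaitForDebugEvent(&ev, INFINITE)) break;
        printf("[pid %lu tid %lu] %s\n", ev.dwProcessId, ev.dwThreadId,
               debug_event_name(ev.dwDebugEventCode));
        switch (ev.dwDebugEventCode) {
        case EXCEPTION_DEBUG_EVENT: {
            EXCEPTION_RECORD *er = &ev.u.Exception.ExceptionRecord;
            unsigned char bytes[8]; SIZE_T got = 0;
            /* Read the debuggee's private memory at the faulting address. */
            if (ReadProcessMemory(pi.hProcess, er->ExceptionAddress, bytes, sizeof bytes, &got))
                printf("  code 0x%08lx at %p (first chance %lu), opcode byte %02x\n",
                       er->ExceptionCode, er->ExceptionAddress,
                       ev.u.Exception.dwFirstChance, bytes[0]);
            cont = continue_status_for(&st, er->ExceptionCode);
            break;
        }
        case CREATE_PROCESS_DEBUG_EVENT:
            CloseHandle(ev.u.CreateProcessInfo.hFile);   /* handles are ours to close */
            break;
        case LOAD_DLL_DEBUG_EVENT:
            printf("  image base %p\n", ev.u.LoadDll.lpBaseOfDll);
            CloseHandle(ev.u.LoadDll.hFile);
            break;
        }
        ContinueDebugEvent(ev.dwProcessId, ev.dwThreadId, cont);
        if (ev.dwDebugEventCode == EXIT_PROCESS_DEBUG_EVENT) break;
    }
    CloseHandle(pi.hThread); CloseHandle(pi.hProcess);
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <program.exe> [args]\n", argv[0]); return 2; }
    return monitor(argv[1]);
}
#endif
```

Run it on Windows as `monitor.exe target.exe`: the log shows the process creation, each DLL the target maps, the loader's initial breakpoint, any exception the target raises, and the exit event. Because the debugger is a separate process with its own handles, the target's memory is read through `ReadProcessMemory` rather than dereferenced directly; a real monitor would extend the same loop with `GetThreadContext` to inspect registers and `WriteProcessMemory` to plant `int 3` breakpoints, which is the mechanism the report's debugger builds on.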